ensure all conn.log entries are tagged "ics" for OT protocols #541

Open
mmguero opened this issue Dec 19, 2024 · 0 comments
Labels: enhancement (New feature or request), ics (Relating to ICS (Industrial Control Systems) devices), logstash (Relating to Malcolm's use of Logstash), zeek (Relating to Malcolm's use of Zeek)

mmguero commented Dec 19, 2024

We need to make sure that all conn.log entries get tagged with ics when an ICS protocol is detected.

This is maybe already supposed to be handled, but I don't see it being done in every case. I wonder if it's actually an issue in the parsers. Some of them seem to be setting the service correctly (bacnet, s7comm), but I don't think all of them do.

So here's what needs to happen:

  • Go through all the ICSNPP parsers and make sure that when the protocol is detected, it sets the conn.log's service to the protocol name; if not, this will have to be submitted as a PR to that repository
  • Check the logstash code (linked above in 11_lookups.conf) to set the ics value into the tags field
  • Verify for all of the ICS protocols we support that the tag gets set for conn.log of that protocol
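The third step above is a verification pass over conn.log. The following script is an added example (not Malcolm's own code, not from the ICSNPP parsers, and not part of the issue) of how that audit could be done offline against Zeek JSON conn.log lines: it treats any entry whose Zeek `service` field names an ICS protocol as one that must carry `ics` in `tags`, and reports entries that are missing the tag, entries tagged `ics` with no ICS service set (the parser-side symptom the issue suspects), and per-protocol coverage. The set of service names (`ICS_SERVICES`) is an assumption beyond the bacnet and s7comm the issue mentions, the sample log lines are constructed, and the `tags` field layout is assumed to be a JSON list as the issue describes.

```python
import json

# Assumed ICS/OT service names as Zeek would write them to conn.log "service".
# The issue only names bacnet and s7comm; the rest are assumptions for this
# example and must be reconciled with the parsers actually deployed.
ICS_SERVICES = {
    "bacnet", "s7comm", "modbus", "dnp3", "enip", "cip",
    "bsap", "ethercat", "profinet",
}

# Constructed sample conn.log lines in Zeek JSON format (not captured traffic).
# CxA2/CxA3: ICS service set but no "ics" tag (the defect the issue describes).
# CxA6: tagged "ics" but the parser never set the service field.
SAMPLE_CONN_LOG = """\
{"ts":1734600000.1,"uid":"CxA1","id.orig_h":"10.0.0.5","id.orig_p":50000,"id.resp_h":"10.0.0.20","id.resp_p":502,"proto":"tcp","service":"modbus","tags":["ics"]}
{"ts":1734600001.2,"uid":"CxA2","id.orig_h":"10.0.0.6","id.orig_p":50001,"id.resp_h":"10.0.0.21","id.resp_p":102,"proto":"tcp","service":"s7comm","tags":[]}
{"ts":1734600002.3,"uid":"CxA3","id.orig_h":"10.0.0.7","id.orig_p":50002,"id.resp_h":"10.0.0.22","id.resp_p":47808,"proto":"udp","service":"bacnet"}
{"ts":1734600003.4,"uid":"CxA4","id.orig_h":"10.0.0.8","id.orig_p":50003,"id.resp_h":"10.0.0.23","id.resp_p":443,"proto":"tcp","service":"ssl","tags":[]}
{"ts":1734600004.5,"uid":"CxA5","id.orig_h":"10.0.0.9","id.orig_p":50004,"id.resp_h":"10.0.0.24","id.resp_p":20000,"proto":"tcp","service":"dnp3,dce_rpc","tags":["ics"]}
{"ts":1734600005.6,"uid":"CxA6","id.orig_h":"10.0.0.10","id.orig_p":50005,"id.resp_h":"10.0.0.25","id.resp_p":44818,"proto":"tcp","tags":["ics"]}
"""


def services_of(entry):
    """Return the set of service names on a conn.log entry.

    Zeek may list several services comma-separated (e.g. "dnp3,dce_rpc"),
    and the field is absent when no analyzer claimed the connection.
    """
    raw = entry.get("service") or ""
    return {s.strip().lower() for s in raw.split(",") if s.strip()}


def expected_ics(entry):
    """True when at least one ICS protocol was detected on this connection."""
    return bool(services_of(entry) & ICS_SERVICES)


def has_ics_tag(entry):
    """True when the enrichment pipeline put "ics" into the tags field."""
    tags = entry.get("tags") or []
    if isinstance(tags, str):  # tolerate a single-string tags value
        tags = [tags]
    return "ics" in tags


def audit(conn_log_text):
    """Audit JSON conn.log lines for consistency between service and tags.

    Returns (missing, unexpected, coverage):
      missing    - uids with an ICS service but no "ics" tag
      unexpected - uids tagged "ics" with no ICS service recorded
      coverage   - per ICS service: {"total": n, "tagged": m}
    """
    missing, unexpected, coverage = [], [], {}
    for line in conn_log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        wanted, tagged = expected_ics(entry), has_ics_tag(entry)
        for svc in services_of(entry) & ICS_SERVICES:
            stats = coverage.setdefault(svc, {"total": 0, "tagged": 0})
            stats["total"] += 1
            if tagged:
                stats["tagged"] += 1
        if wanted and not tagged:
            missing.append(entry["uid"])
        if tagged and not wanted:
            unexpected.append(entry["uid"])
    return missing, unexpected, coverage


if __name__ == "__main__":
    missing, unexpected, coverage = audit(SAMPLE_CONN_LOG)
    print("ICS service but no ics tag:", missing)
    print("ics tag but no ICS service:", unexpected)
    for svc, stats in sorted(coverage.items()):
        print(f"{svc}: {stats['tagged']}/{stats['total']} tagged")
```

Run against a real `conn.log` by passing its contents to `audit()`; a non-empty `missing` list points at the Logstash tagging step, while entries in `unexpected` point at a parser that recognised the protocol without setting `service`, which is the first item of the checklist.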
@mmguero mmguero added enhancement New feature or request logstash Relating to Malcolm's use of Logstash zeek Relating to Malcolm's use of Zeek labels Dec 19, 2024
@mmguero mmguero added this to the v25.01.0 milestone Dec 19, 2024
@mmguero mmguero added this to Malcolm Dec 19, 2024
@mmguero mmguero moved this to Todo (develop) in Malcolm Dec 19, 2024
@mmguero mmguero added the ics Relating to ICS (Industrial Control Systems) devices label Dec 19, 2024
@mmguero mmguero self-assigned this Jan 8, 2025
@mmguero mmguero moved this from Todo (develop) to In Progress in Malcolm Jan 8, 2025
Project status: In Progress
Development: No branches or pull requests

1 participant